• MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused

    #2279797

    Once more around the ol’ Windows karmic wheel…. Tomorrow’s Patch Tuesday. Today’s the day you should double-check and make sure you have Windows Upd
    [See the full post at: MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused]

    11 users thanked author for this post.
    • #2279989

      I’d like to remind people using W10 Pro Group Policy setting #2 not to use the Pause setting.

      If GP is set to #2, when resume updating is clicked, all updates will start downloading, without notification, completely disregarding the #2 setting of ‘notify for download and install’.

      Pausing updates is important for W10 Home users, and as Woody says in the Computer World article, should be reset now, to avoid unwanted updating.

      Non-techy Win 10 Pro and Linux Mint experimenter

      3 users thanked author for this post.
    • #2280116

      Make backups before the big day because an unplanned update is possible.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      2 users thanked author for this post.
    • #2280323

      Just so I understand. MS issues security updates for vulnerabilities, but the advice is not to patch those vulnerabilities for 3 more weeks, leaving your computer vulnerable to exploits that the patch is supposed to prevent.

      • #2280331

        Obviously, you don’t understand.
        MS issues security updates with BUGS, and the advice is to wait until those bugs are identified (unless there is an active exploit that makes immediate patching necessary, which there rarely is) so you don’t end up with computer problems. We keep an eye out for active exploits always, but we also collect information about patch problems. When the time is right and the problems are known, Woody gives the go-ahead and publishes instructions for safe patching.

        But for those who want to be Guinea pigs on the front line, feel free to test things for us.

        6 users thanked author for this post.
        • #2280355

          Obviously I do understand that my computers over the past 20 years have never exploded by installing a patch the same day it’s available.

           

          And the sun still came up the next day too, as it did for millions of other computers.

          • #2280372

            True. But just because a lot of people don’t have problems doesn’t mean that some people didn’t have any—and received no shortage of headache from it.

            A healthy dose of skepticism and caution doesn’t hurt. It’s usually impulse that burns.

          • #2280382

            Mine never exploded either, but I stopped installing patches the same day they were issued donkey’s years ago, when I discovered that not infrequently following installation various programs/software packages failed to function properly and I was left chasing websites for fixes. More hassle than it’s worth. And I’ve never landed a virus through waiting for Defcon 3 :)

            1 user thanked author for this post.
          • #2280417

            I have a Windows 7 laptop I use at home, which never exploded either, with blocked Microsoft updates since day 1 of Windows 10 (5 years!!). No viruses as well.

      • #2280384

        Every month I get this question, and every month I post a challenge:

        Tell me one — just one — zero-day patch that was widely exploited within a few weeks of the patch being delivered.

        Here’s the list that I came up with a couple of months ago:

        • WannaCry/EternalBlue – patched April 11, 2017. Exploited May 12, 2017. More than a month from patch to exploit – and it was a bad exploit! UPDATE: Andy Greenberg at Wired just published an excellent story about Marcus Hutchins, the guy who corralled WannaCry.
        • Blaster – patched May 28, 2003. Exploited August 11, 2003. Almost three months.
        • Sasser – patched April 13, 2004. Exploited April 30, 2004. Two weeks to exploit, and that’s scary. But it was 16 years ago.

        So it’s true that, 16 years ago, a patched zero-day was widely exploited within a couple of weeks. Other than Sasser, all of the major exploits I know about took many weeks or months. You have to patch sooner or later, but there’s no reason to patch right away.

        Do you know of any others?

        (By contrast, every month we get bugs, some major some simply annoying. I have a running month-by-month three year history of the bugs in Computerworld.)

        1 user thanked author for this post.
    • #2280434

      KB4565503 Cumulative Update for Windows 10 Version 2004 for x64 based Systems
      KB4565627 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 2004 for x64

      Successfully installed on both sides of my dual boot; no hiccups.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

    • #2280650

      So I have a few items to review please…

      1.  Article: “Reports of Win10 1909 users getting pushed onto version 2004.”

      • Kudos and Thank You to @Paul T, @PKCano, and @Alex5723 regarding my 6/15 post.  All went smoothly and v2004 did not install on either of my Win10 Pro PC’s.  Strange thing is on one of them I was able to pause updates all the way to November…who’d a thunk?

      2.  Regarding “MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused”

      • @PKCano…Monday night I ran data & system image backups then followed AKB2000016.  Per the KB article I followed your setup in Step 4 (GP: 2; Feature updates: 365; Quality updates: 0; Metered connection: off).  On Tuesday morning I ran and installed the June CU’s (hopefully this was the right action as I don’t recall seeing an “all clear notice” from Woody).  I also ran wush and hid the Silverlight update since it’s dead anyways.  I immediately paused updates until 8/17.  After reading the post, “Win10 May Uninstalled – Wait for June “Approval” from @WSTerryGH and replies from @Elly, I saw I should not have set up the pause updates.  I have a couple questions for clarification please:

       

      • PC #1 has the following message, “The windows 10 May 2020 update is on the way once it’s ready for your device you’ll see the update available on this page” and PC #2 does not.  It appears PC #1 will not get the v2004 update any time soon, therefore I should probably remove the pause, let this PC automatically check for updates, and immediately run wush to prevent the July updates from installing, until Woody gives the ok, then keep pause updates cleared to allow GP2 to work properly.  Am I understanding this & how the Step 4 setup is supposed to work?  Then on PC #2, which may be offered the v2004 update, I should follow the same steps as I did for PC #1, using wush to hopefully prevent v2004 from installing, then leave pause alone.  Again, am I understanding correctly?

       

      • PC #2: Using regedit to verify the GP and WU settings, I saw this PC was missing the semi-annual channel setting “BranchReadinessLevel” value of (32).  Why would PC #1 show this correctly and PC #2 not?  Should I be concerned, and if so, how do I go about correcting this?
      Other miscellaneous questions:
      • In using EaseUS Todo Backup (free version) for my System Image, I noticed in the app/program there is a restore function.  Since the free version allows for backup & restore to the same drive, would I be in a bind if I had a catastrophic failure where I had a boot drive failure (which I’ve had before)?  Also, if I had to recover (without a drive failure) using my System Image backup, would I simply be able to reimage using my backup, or would I need to use the restore function from EaseUS Todo?

       

      • Regarding backups.  I’m currently using 2 Seagate Backup Plus (2TB) drives with their included Toolkit backup software for my data backups, one for each PC, keeping them separate.  I’m also using 2 128GB USB sticks for my system image backup, 1 for each PC, again keeping them separate.  In keeping with the principle of using a separate 2TB drive for each PC, should I go ahead and save PC #1 Data backup & System Image to one drive, and PC #2 to the other, eliminating the USB sticks altogether?  Is there any good reason to keep the System Image backups separated from the Data backup?

      Sorry for being a bit long winded.  Looking forward to hearing back. Thanks again!!!

       

      ASUS TUF SABERTOOTH Z170s Motherboard, Intel i7-6700k CPU, Corsair 32GB DDR4-3200 RAM, ASUS ROG STRIX GeForce GTX-1070 Video Card, 1x BPX M.2 240GB NVMe SSD, 1x Samsung 850 EVO 1TB SSD, 2x WD Black 6TB HDD, Windows 10 Pro 64bit v1909

      • This reply was modified 4 years, 9 months ago by Speed Racer.
      • #2280654

        Read carefully the caveats in Sections 3 & 4. If you are using GP “2” (notify download/install) you don’t need Pause or Metered connections in v1903/1909. Pause will keep you from seeing what is coming. And both are an invitation to installs when you remove them.

        I think if you disconnect from the Internet, remove Pause and let the search fail, that it will clear the WU queue. Then with your settings of Quality deferral = 0 and GP = “2” you should see the July updates but they won’t download. Feature deferral = 365 should keep you from getting v2004 until you lower the deferral. In fact, with that setting you won’t get the optional section “Download and install now” either.

        The Semi-Annual Channel setting comes from a Windows Update for Business setting in GP. All of the Windows Update for Business settings should be “not configured” for v1903/1909, but will be needed for v2004 (Section 5) when the pulldowns in the GUI disappear. See the second screenshot in #2275043.

        3 users thanked author for this post.
    • #2280819

      OK, so what do you do if you weren’t aware Microsoft was about to update Microsoft Office and it started automatically when I turned my laptop on.
      I then encountered an error message when I tried to open Microsoft Outlook.
      What do I do now?  I don’t want to uninstall and reinstall Office, or Outlook, because I have a large .pst file which has brought forward critical records from three successive laptops.

    • #2281483

      Oh joy. Two of five W10Pro 1909 boxes automatically installed the July updates in spite of W10 Pro Group Policy setting #2. GP setting is still in place, reflecting the config after 1909 install. No, I did NOT push the button. Sigh.

      • #2281484

        Did you set any Pause? If you did, when the Pause ends it ignores the “2” setting and installs anyway. If you use Group Policy “2” and the deferrals in v1909, do not use Pause or Metered connections. See the caveats in AKB2000016 in Sections 3 and 4.
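
The setup the replies above describe (GP "2", Feature deferral 365, Quality deferral 0, Windows Update for Business policies not configured, no Pause) can be checked read-only from PowerShell. This is an added example, not part of any poster's reply; the registry paths and the value names other than BranchReadinessLevel are assumptions for Windows 10 Pro v1903/1909.

```powershell
# Added example: read-only audit of the Windows Update settings discussed in this thread.
# Registry paths and value names are assumptions for Windows 10 Pro v1903/1909.
$auKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'  # GP "Configure Automatic Updates"
$wufbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'     # Windows Update for Business policies
$uxKey   = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'          # Settings-app pulldowns and Pause

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = [ordered]@{
    AUOptions            = Get-RegValue $auKey 'AUOptions'
    FeatureDeferralDays  = Get-RegValue $uxKey 'DeferFeatureUpdatesPeriodInDays'
    QualityDeferralDays  = Get-RegValue $uxKey 'DeferQualityUpdatesPeriodInDays'
    BranchReadinessLevel = Get-RegValue $uxKey 'BranchReadinessLevel'
    PauseExpiry          = Get-RegValue $uxKey 'PauseUpdatesExpiryTime'
}

# WUfB policy values the thread says should be "not configured" on v1903/1909.
$wufbNames = 'BranchReadinessLevel', 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
             'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays'
$wufbSet = @($wufbNames | Where-Object { $null -ne (Get-RegValue $wufbKey $_) })

# Pause is active when its expiry (assumed to be an ISO 8601 UTC string) lies in the future.
$pauseActive = $false
if ($report.PauseExpiry) {
    try   { $pauseActive = ([datetime]$report.PauseExpiry) -gt (Get-Date) }
    catch { Write-Warning "Could not parse PauseUpdatesExpiryTime '$($report.PauseExpiry)'." }
}

$findings = @()
if ($report.AUOptions -ne 2) {
    $findings += "AUOptions is '$($report.AUOptions)'; 2 = notify for download and install."
}
if ($report.AUOptions -eq 2 -and $pauseActive) {
    $findings += "Pause is set together with GP 2: per the thread, ending Pause installs without notification."
}
if ($wufbSet.Count -gt 0) {
    $findings += "WUfB policy values configured: $($wufbSet -join ', ')."
}
if ($findings.Count -eq 0) { $findings += 'No conflicts with the GP 2 + deferrals setup found.' }

[pscustomobject]$report | Format-List
$findings
```

Run it from an elevated or standard PowerShell prompt before Patch Tuesday; it only reads HKLM and changes nothing.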
